Volume Analysis – Intro Chapter 4, Carrier 1.Volume structure 2.Volume analysis 3.Volume recovery

Presentation transcript:

Volume Analysis – Intro Chapter 4, Carrier 1. Volume structure 2. Volume analysis 3. Volume recovery

Nomenclature
Windows: partitions are referred to as “Volumes”
The rest of the world: partitions are referred to as partitions; a volume is a physical drive
VG – Volume Group is a logical grouping of partitions managed by the LVM

Volume Functions
A volume is a collection of addressable sectors that can be used for storage
Assemble multiple storage volumes into one
Partition a storage volume into independent partitions

Partitions, Named Volumes – Windows Example (figure): one hard disk volume divided into Partition 1, Partition 2 and Partition 3, seen by Windows as the C: volume, D: volume and E: volume. Thanks to Priscilla. Source: B. Carrier

Partitions
A partition is a collection of consecutive sectors in a volume
A partition is also a volume
A partition's parent volume is the volume in which the partition is located

Partition Systems
Structure of the partition system is OS dependent, independent of the disk/interface
Most volumes have a partition table; each entry describes the location, size and type of a partition
Usually there is nothing that distinguishes the beginning or end of a partition
If the volume is one partition, the partition table is often missing.

Generic Partition Table (figure): columns Starting Sector, Ending Sector, File System Type; the example rows start at sectors 0 and 99 and carry the file system types FAT, NTFS, NTFS (ending sectors not recoverable from the transcript)

Volume Assembly
Some OS's force each device/disk to be a volume: Windows and DOS
Some of the more robust OS's use volume assembly to make many/all disks look like one volume: Unix and derivations

Windows Mount Points (figure): Volume 1 appears as C: (containing \Program Files\, \Windows\, \Torture Office\), Volume 2 as D:, and the CD-ROM as E:

Unix Mount Points (figure): Volume 1 is mounted at / (containing /etc/, /tmp/, /usr/), Volume 2 and the CD-ROM are mounted below it, the CD-ROM at /mnt/cdrom/

Sector Addressing
LBA – Logical Block Address is a physical sector address beginning at 0, which is the first sector of the disk.
LVA – Logical Volume Address is the address of a sector relative to the start of its volume.
Distinguish between disk and partition: logical disk volume address vs. logical partition volume address

Addressing Terminology (figure)
Partition 1, Starting Address: 0
  Physical address: 100
  Logical Disk Volume Address: 100
  Logical Volume Part. Address: 100
Partition 2, Starting Address: 864
  Physical address: 569 (not inside any partition)
  Logical Disk Volume Address: 569
  Logical Volume Part. Address: N/A
  Physical address: 964
  Logical Disk Volume Address: 964
  Logical Volume Part. Address: 100

Volume Analysis
Partition layout of the volume is important: consistency, corruption, unallocated space, evidence recovery

Techniques
Data in a partition is likely to be a file system.
Data in sectors not in a partition is likely to be data left over from a previous life.
Using dd we can create a file for each partition.
Using dd we can also create files of consecutive unallocated sectors.

Consistency Checks
Consecutive collections of sectors, utilizing the entire disk/device
Consecutive collections of sectors, not utilizing the entire disk/device
Overlapping collections of sectors
Missing partition tables or corrupted tables, intentional or accidental

DOS Partitions
MBR is the first 512-byte sector
 Boot code (bytes 0-445)
 Partition table (bytes 446-509)
 Signature (bytes 510-511, the bytes 0x55 0xAA; read as a little-endian word the value is 0xAA55)
Partition table has four entries

DOS Disk (figure): the partition table at the start of the disk, followed by Partition 1 and Partition 2

Extended Partitions (figure): the partition table, Partition 1, Partition 2 and an Extended Partition. The first extended partition is always number 5.

Extended Partitions (figure): an extended partition holds a partition plus another extended partition, which in turn holds a partition plus another extended partition, and so on as a chain

Master Boot Sector/Record
First sector of the device
Contains boot code
Contains the partition table
Last two bytes are 0x55 0xAA (the 0xAA55 signature)

MBS Structure – Master Boot Record, MBR (figure; byte offsets in hex)
000-1BD  Boot code
1BE-1CD  1st Partition Entry
1CE-1DD  2nd Partition Entry
1DE-1ED  3rd Partition Entry
1EE-1FD  4th Partition Entry
1FE-1FF  Signature, value = 0x55 0xAA

Partition Table
Four 16-byte entries; each entry describes a partition
 Bootable flag (0x80 means bootable)
 Starting CHS address
 Partition type
 Ending CHS address
 Starting LBA address
 Size (number of sectors in partition)

Partition Entry Structure (figure; byte offsets in hex within the 16-byte entry)
00     Bootable flag: 0x80 – bootable, 0x00 – not bootable
01-03  Starting CHS Address – (C, H, S)
04     Partition type – 0x83 = Linux, 0x82 = swap
05-07  Ending CHS Address
08-0B  Starting LBA Address
0C-0F  Size in Sectors

Partition Types
 0  Empty             1e  Hidden W95 FAT1   80  Old Minix         be  Solaris boot
 1  FAT12             24  NEC DOS           81  Minix / old Lin   bf  Solaris
 2  XENIX root        39  Plan 9            82  Linux swap / So   c1  DRDOS/sec (FAT-
 3  XENIX usr         3c  PartitionMagic    83  Linux             c4  DRDOS/sec (FAT-
 4  FAT16 <32M        40  Venix                 OS/2 hidden C:    c6  DRDOS/sec (FAT-
 5  Extended          41  PPC PReP Boot     85  Linux extended    c7  Syrinx
 6  FAT16             42  SFS               86  NTFS volume set   da  Non-FS data
 7  HPFS/NTFS         4d  QNX4.x            87  NTFS volume set   db  CP/M / CTOS /.
 8  AIX               4e  QNX4.x 2nd part   88  Linux plaintext   de  Dell Utility
 9  AIX bootable      4f  QNX4.x 3rd part   8e  Linux LVM         df  BootIt
 a  OS/2 Boot Manag   50  OnTrack DM        93  Amoeba            e1  DOS access
 b  W95 FAT32         51  OnTrack DM6 Aux   94  Amoeba BBT        e3  DOS R/O
 c  W95 FAT32 (LBA)   52  CP/M              9f  BSD/OS            e4  SpeedStor
 e  W95 FAT16 (LBA)   53  OnTrack DM6 Aux   a0  IBM Thinkpad hi   eb  BeOS fs
 f  W95 Ext'd (LBA)   54  OnTrackDM6        a5  FreeBSD           ee  EFI GPT
10  OPUS              55  EZ-Drive          a6  OpenBSD           ef  EFI (FAT-12/16/
11  Hidden FAT12      56  Golden Bow        a7  NeXTSTEP          f0  Linux/PA-RISC b
12  Compaq diagnost   5c  Priam Edisk       a8  Darwin UFS        f1  SpeedStor
14  Hidden FAT16 <3   61  SpeedStor         a9  NetBSD            f4  SpeedStor
16  Hidden FAT16      63  GNU HURD or Sys   ab  Darwin boot       f2  DOS secondary
17  Hidden HPFS/NTF   64  Novell Netware    b7  BSDI fs           fd  Linux raid auto
18  AST SmartSleep    65  Novell Netware    b8  BSDI swap         fe  LANstep
1b  Hidden W95 FAT3   70  DiskSecure Mult   bb  Boot Wizard hid   ff  BBT
1c  Hidden W95 FAT3   75  PC/IX

Decoding Partition Tables – Gotchas
Decimal or hex?
Little endian or big endian?
Output to text? How do you get the text back to the “lab” for analysis?
Output to file? Where will you put it? Don’t write to the suspect’s HD!

The Whole MBR
>fdisk /dev/hda
>x
>d
: eb48 906c c49 4c4f a00.H.lbaLILO....Z
: f d f222 c000 01f3 22c0.....ht=."...."
: 0001 f122 c a f522 c000 01f6..."....DZ."
: 22c be22 c000 01bf 22c "...."...."
: fa80 ca80 ea53....Q S
: 7c c08e d88e d0bc 0020 fba0 407c
: 3cff c2 52be 797d e834 01f6 c280 <.t...R.y}
: 7454 b441 bbaa 55cd 135a fb55 tT.A..U..ZRrI..U
: aa75 43a0 417c 84c e uC.A|..u....t7f
: 8b4c 10be 057c c644 ff01 668b 1e44 7cc7.L...|.D..f..D|
a0: c c08 c D...f.\..D
b0: c cb4 42cd 1372 pf1..D.f.D..B..r
00000c0: 05bb 0070 eb7d b408 cd13 730a f6c2 800f...p.}....s
d0: 84f0 00e9 8d00 be05 7cc6 44ff c |.D..f
e0: 88f d288 cac1 e
f0: 88f c0 88d0 c0e
: 66a1 447c 6631 d266 f a66 31d2 f.D|f1.f.4.T.f
: 66f b89 440c 3b44 087d 3c8a f.t..T..D.;D.}<
: 540d c0e2 068a 4c0a fec1 08d1 8a6c 0c5a T.....L......l.Z
: 8a74 0bbb ec3 31db b801 02cd 1372.t...p r
: 2a8c c38e c60 1eb edb 31f6 *....H|`
: 31ff fcf3 a51f 61ff cbe 7f7d e
: 00eb 0ebe 847d e838 00eb 06be 8e7d e } }
: 00be 937d e82a 00eb fe }.*...GRUB.G
: 656f 6d b eom.Hard Disk.Re
: f 7200 bb01 00b4 0ecd ad. Error
a0: 10ac 3c00 75f4 c <.u
b0:
c0: fe 3f0c 3f e2f ?.?..../
d0: 010d 83fe ffff cd2f b1 d401 00fe /..x
e0: ffff 82fe ffff 45e1 d701 bf21 1f00 00fe......E....!
f0: ffff 83fe ffff 0403 f701 fc4f b102 55aa O..U.

Use Unix/Linux dd Utility to View Partition Table
dd if=/dev/hda bs=512 count=1 | xxd
Partition table starts at 446 decimal = 0x1be
: eb ed0 bc00 b0b ed8 8ec0.H
{skip}
00001b0: b 786b xkxk
c0: cfe fffe 3f c ?.....s
d0: fe bf40 c1c b0 0f
e0: fe ff c A.....y....%
f0: aa U.

Partition Table Entries – Try Decoding It By Hand…
#  Flag  Type  Starting LBA Address  Size

Partition Table Entries (Little Endian)
#  Flag  Type  Starting LBA Address  Size
1  0x80  0x0C  0x0000003F            0x0273C882
2  0x00  0x82  0x0273C8C1            0x000FB040
3  0x00  0x83  0x                    0x022518C0
4  0x00  0x00  0x                    0x

Partition Table Entries
#  Flag  Type  Starting LBA Address  Size
1  0x80  0x0C  0x0000003F            0x0273C882
   Bootable   FAT   63                ~21 GB
2
3  0x00  0x83  0x                    0x022518C0
4  0x00  0x00  0x                    0x

Partition Table in English
Partition 1
 Bootable (0x80 at byte 0)
 Type is FAT32 (0x0C at byte 4)
 It starts at sector 0x3F, LBA (63 in decimal)
 Its size is 0x0273C882 sectors
  About 41 million sectors in decimal
  41M x 512 bytes = 20,992,000,000 = ~21 GB

Partition Table in English (cont.)
Partition 2
 Not bootable (0x00 at byte 0)
 Type is Linux Swap (0x82 at byte 4)
 It starts at sector 41,142,465 in decimal
 Its size is 0x000FB040 sectors
  About 1 million sectors in decimal
  1M x 512 bytes = 512,000,000 = ~.5 GB

Partition Table in English (cont.)
Partition 3
 Not bootable (0x00 at byte 0)
 Type is Linux (0x83 at byte 4)
 It starts at sector in decimal
 Its size is 0x022518C0 sectors
  About 36 million sectors in decimal
  36M x 512 bytes = 18,432,000,000 = ~18.5 GB
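The hand decoding on the slides above (the MBR layout, the 16-byte entry structure, the little-endian LBA and size fields, and the consistency checks and dd carving from the Techniques slide) carried out in code. This is an added example and is not code from the slides or from Carrier's book. The MBR it parses is constructed in the script: entries 1 and 2 use the values shown on the slides, but the slides do not give the start sector of partition 3, so that start is constructed to follow partition 2 directly, and the disk size is constructed from the fdisk slide's geometry (4865 cylinders x 255 heads x 63 sectors). All function names are the example's own.

```python
"""Decode a DOS/MBR partition table the way the slides do by hand.

Added example, not from the slides or Carrier's book. The MBR below is
constructed: entries 1 and 2 use the values shown on the slides (bootable,
type 0x0C, LBA 0x3F, size 0x0273C882; type 0x82, LBA 0x0273C8C1, size
0x000FB040). The slides do not show where partition 3 starts, so its start
is constructed to follow partition 2 directly; the disk size is constructed
from the fdisk slide's geometry (4865 cylinders x 255 heads x 63 sectors).
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE            # partition table occupies bytes 446-509
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"         # bytes 510-511 (reads as 0xAA55 little-endian)
HEADS, SECTORS_PER_TRACK = 255, 63               # geometry assumed for the CHS fields
DISK_SECTORS = 4865 * HEADS * SECTORS_PER_TRACK  # constructed: 78,156,225 sectors

# (bootable, type, start LBA, size in sectors); the start of entry 3 is constructed
SLIDE_TABLE = [
    (True,  0x0C, 0x0000003F, 0x0273C882),
    (False, 0x82, 0x0273C8C1, 0x000FB040),
    (False, 0x83, 0x0273C8C1 + 0x000FB040, 0x022518C0),
]

def lba_to_chs_bytes(lba):
    """Pack an LBA into the 3-byte CHS field. Cylinders above 1023 do not fit,
    so they are clamped to (1023, 254, 63), which shows up as FE FF FF."""
    cyl, rem = divmod(lba, HEADS * SECTORS_PER_TRACK)
    head, sec = divmod(rem, SECTORS_PER_TRACK)
    sec += 1                                   # CHS sectors are numbered from 1
    if cyl > 1023:
        cyl, head, sec = 1023, 254, 63
    return bytes([head, ((cyl >> 2) & 0xC0) | sec, cyl & 0xFF])

def chs_bytes_to_tuple(field):
    """Unpack the 3-byte CHS field into (cylinder, head, sector)."""
    head, b1, b2 = field
    return ((b1 & 0xC0) << 2) | b2, head, b1 & 0x3F

def make_entry(bootable, ptype, start_lba, size):
    """One 16-byte entry: flag, start CHS, type, end CHS, start LBA, size.
    The two 32-bit fields are little-endian (the slides' cautionary tale)."""
    end_lba = start_lba + size - 1
    return (bytes([0x80 if bootable else 0x00]) + lba_to_chs_bytes(start_lba)
            + bytes([ptype]) + lba_to_chs_bytes(end_lba)
            + struct.pack("<II", start_lba, size))

def build_mbr(entries):
    """512-byte MBR: 446 bytes of (zeroed) boot code, four entries, signature."""
    table = b"".join(make_entry(*e) for e in entries)
    table += b"\x00" * (4 * ENTRY_SIZE - len(table))
    return b"\x00" * TABLE_OFFSET + table + SIGNATURE

def looks_like_mbr(sector0):
    """The check the lab asks for: a 512-byte sector ending in the bytes 55 AA."""
    return len(sector0) == SECTOR and sector0[510:512] == SIGNATURE

def parse_mbr(sector0):
    """Decode the non-empty entries into dicts (start/size/end are LBA sectors)."""
    if not looks_like_mbr(sector0):
        raise ValueError("no 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        e = sector0[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        if e[4] == 0x00:                       # type 0 = empty entry
            continue
        start, size = struct.unpack("<II", e[8:16])
        parts.append({"index": i + 1, "bootable": e[0] == 0x80, "type": e[4],
                      "start_chs": chs_bytes_to_tuple(e[1:4]),
                      "end_chs": chs_bytes_to_tuple(e[5:8]),
                      "start": start, "size": size, "end": start + size - 1})
    return parts

def consistency_check(parts, disk_sectors):
    """The slides' checks: overlapping entries, entries running past the device,
    and the unallocated ranges between partitions, returned as (first, last)."""
    problems, gaps = [], []
    next_free = 1                              # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] < next_free:
            problems.append(f"partition {p['index']} overlaps sectors "
                            f"{p['start']}-{min(p['end'], next_free - 1)}")
        elif p["start"] > next_free:
            gaps.append((next_free, p["start"] - 1))
        if p["end"] >= disk_sectors:
            problems.append(f"partition {p['index']} ends past the device at {p['end']}")
        next_free = max(next_free, p["end"] + 1)
    if next_free < disk_sectors:
        gaps.append((next_free, disk_sectors - 1))
    return problems, gaps

def carve(image, first_sector, count):
    """Same bytes as: dd if=image bs=512 skip=first_sector count=count."""
    return image[first_sector * SECTOR:(first_sector + count) * SECTOR]

if __name__ == "__main__":
    mbr = build_mbr(SLIDE_TABLE)
    parts = parse_mbr(mbr)
    for p in parts:                            # the "Partition Table in English" slides
        state = "bootable" if p["bootable"] else "not bootable"
        print(f"Partition {p['index']}: {state}, type 0x{p['type']:02X}, starts at "
              f"sector {p['start']}, {p['size']} sectors = ~{p['size'] * SECTOR / 1e9:.1f} GB")
    print(consistency_check(parts, DISK_SECTORS))
```

Run it as-is and it reports the three partitions in the same words as the slides, then the gap of sectors 1-62 between the MBR and partition 1 (the kind of unallocated range the Techniques slide carves with dd). To decode a real image, replace the constructed MBR with the first 512 bytes read from the image file and pass the image's sector count to consistency_check.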

Partition Types Info

Real Example: FAT32 thumb drive, .5 GB

Windows MBR (figure): the entry fields labelled Boot flag, C, H, S, Type, Start LBA and Size (sectors). A cautionary tale: Little Endian!

Use fdisk to View Table
fdisk /dev/hda
Command (m for help): p
Disk /dev/hda: 255 heads, 63 sectors, 4865 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID
c

Extracting Partition Table
fdisk – Linux and DOS, Windows
>fdisk /dev/hda
>p
Disk /dev/hda: 40.0 GB, bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of * 512 = bytes
Device Boot Start End Blocks Id System
/dev/hda1 * Linux
/dev/hda Linux
/dev/hda Linux swap
>x
>p
Disk /dev/hda: 255 heads, 63 sectors, 4864 cylinders
Nr AF Hd Sec Cyl Hd Sec Cyl Start Size ID

Lab
Image the MBR of the RED USB drive in the lab
Show why it is an MBR
Decode the partition table